Building access control has come a long way from the days when everyone had to carry three or four keys. Big tenants such as WeWork and Dropbox are moving away from easily lost and easily spoofed key cards and toward Bluetooth-enabled technology for frictionless access.
Such technologies identify a person's smartphone and allow for things like tracking the location of visitors and checking that everyone has left the building during an evacuation (even when evacuating, most people still grab their phone).
Security Concerns Smart Access can Address
Smart access can address a number of existing security concerns:
- Key cards and key fobs have proved a poor solution to the problem of access control. Cards and fobs still have to be carried around and can easily be lost. Even worse, people may not notice that they have lost their key until they need it, possibly the next morning. We have all seen building access cards left on the ground or next to the sink in restrooms. In fact, a typical 40,000 person company loses over 10,000 cards or fobs in a single year. Phones are less likely to be lost, loss is far more likely to be immediately noticed, and remote wipe can remove the software from a lost or stolen phone. Another option for companies is to move to biometrics. However, while biometric identification may well be part of the wave of the future, it has legitimate security and privacy concerns. Facial recognition can be fooled with makeup and hairstyles. Also, current biometrics are far from frictionless and take longer to pass through than swiping a card or a fob. Stored biometric data is also of extreme value to hackers.
- Smart access technology can address the issue of tailgating. Tailgating is when an unauthorized person follows an employee into the building. Security guards do not always prevent this and turnstiles are only suitable for some building designs. With frictionless access control it is harder for somebody to get in behind an employee, because it takes them so much less time to get through the door, although some people will hold the door open for those behind them (and may feel unsafe not doing so). Other technologies can be used, such as surveillance cameras that flag anyone walking in behind an unauthorized person who's phone is not giving off the right signal.
Security Concerns that Need to be Mitigated
However, smart buildings have some other security concerns, which need to be dealt with when using these systems.
- Siegeware. It might seem like something out of science fiction, but it is possible for a hacker to get into building automation systems and reprogram them. Bad actors are already using this for a variant on ransomware, although it is likely that some threatening messages are nothing more than scareware, with no actual hack having taken place. A hacker could, for example, shut down all of the elevators in a 30 story building. Or simply lock the doors in the middle of the night so nobody can get in.
- Digital infrastructure attacks. In a more general sense, somebody could hack your building and inconvenience or even endanger your employees. For example, they might turn off the air conditioning on a particularly hot day. In the past, building-critical systems were isolated from the internet. This is no longer the case. There have already been several compromises, and an IBM penetration testing team was able to access the management systems of a smart building easily.
What is the best Path Forward for Building Managers?
It's vital that buildings move on from key cards and fobs and into a modern setup that relies either on the smartphone devices we carry daily or on biometrics. As biometric technology advances, seamless access without any kind of device becomes feasible, with the building opening the door when an authorized person approaches and closing it behind them.
However, building managers also need to address the very real security concerns. Ensuring that buildings are not vulnerable to siegeware and other infrastructure attacks may require security that speaks to and involves every device in the building, including devices we don't normally think of as "computers" such as printers. Protecting from attacks involves things from the simple (making sure no devices in the building still have the default user credentials) to protecting admin logins with two-factor authentication to educating employees on the human aspects of cybersecurity. It also means watching for mistakes made by others and learning from them, studying how data breaches and infrastructure attacks happen so that you can not be the next statistic.
For many building owners and managers cybersecurity falls outside their personal training and while in-house staff can do a reasonable job, if you are installing tech-based access control you may need help, both with initial design of the system and ensuring it will meet your needs and with ongoing maintenance including security. At the very least, managers should be ready to run a full security audit using a reputable outside contractor. You also need to install a system that does not require taking half of the walls apart to run new wiring.
Your tenants have requirements about both security and productivity that are not what they were five years ago and may not be the same five years from now. Security systems need to be smooth, frictionless, secure and, as much as possible, future proofed. Doing this right will attract and retain office tenants and provide them with an experience that they will want to share with others.